Cyber & Data Risk Insurance
Posted 19-Oct-2014
Transcript of Cyber & Data Risk Insurance
Focused on the Business of Insurance℠ © Nelson Levine de Luca & Hamilton, LLC
HEALTHCARE HIGHLIGHTS 6th Annual Advanced Forum on Cyber & Data Risk Insurance
September 27, 2012
Presented by:
Kimberly B. Holmes, Esq. Chubb Group of Insurance Companies
Christopher Keegan Senior Vice President, Willis
John F. Mullen, Esq. Nelson, Levine, de Luca & Hamilton
Healthcare - What We Know
• Highly regulated industry
– HIPAA
– HITECH
– State data privacy and breach notification laws
• Business Associate requirements are a moving target
– Third party due diligence has always been a problem
• Covered Entities held to a higher standard
– Your customers simply expect more – and they vote with their feet when they don’t get it
What’s Here Now and What’s On the Horizon
• Electronic Medical Records (EMRs)
– Operation/Implementation Challenges
• Fair Information Principles Will Apply
• Health Insurance Exchanges (HIEs)
– HIPAA Compliance Challenges
• Who is and isn’t a Covered Entity?
• Operation/Implementation Challenges
– States will vary in Compliance protocols
EMRs – The New Reality
• The shift toward electronic health records has gained great momentum
• Meaningful use, and interoperability, are big concerns – more data in motion, more data at risk
• The first round of EHR incentive payments for meaningful use occurred earlier this year
EMR—Compliance Costs
• Secure conversion
• Secure storage
• Administrative safeguards
• Technical safeguards
• Physical safeguards
EMR—Cost of Non-compliance
• Exposure to OCR/AG Actions
• Fines
• Punitive damages
EMR—Electronic Security
• During conversion
– Physical security of paper documents
– Secure electronic transmission
– Secure electronic storage
– Secure conversion facility
• After conversion
– Secure destruction of paper records
– Secure electronic storage
Health Insurance Exchanges
• Required under Affordable Care Act (ACA) to be implemented by Jan. 2014
• Some states will operate themselves
• Some states will establish through partnership with federal government and its contractors
• Facilitate the purchase of health insurance coverage by small businesses and individuals
• Determine eligibility and review plans for compliance with required benefits packages
• Facilitate online availability of plans
• Process enrollment
Health Insurance Exchanges (Cont’d.)
• To date, most HIEs have been set up as government or quasi-government entities and are thus NOT “Covered Entities” under HIPAA
• Participating Insurers (Qualified Health Plans) ARE still Covered Entities
– Must continue to comply with HIPAA as well as any new privacy/security requirements imposed by the exchanges on their participating plans
• HHS final rule established no single minimum standards, but directed HIEs to develop privacy/security policies based on FTC Fair Information Practice Principles
Compliance & Notice Regulations
• HITECH Act
– Extends HIPAA to “business associates” of covered entities.
• E.g., claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management
– Permits State Attorneys General to bring civil actions in federal court.
• First AG suit filed against Health Net Connecticut in January 2010 alleging failure to properly encrypt portable data (violating HIPAA) and failure to timely provide notice (suit settled: $250K fine, 2 years credit monitoring, additional $500K fine if a person suffers ID theft as a result of the breach)
– Civil monetary penalties range from $50K to $1.5m per violation, per calendar year.
– Provides for mandatory audits by the Sec. of HHS to ensure data security policies and procedures are compliant and implemented.
Compliance & Notice Regulations
• HITECH Act – Civil Penalties
– Cignet Health – HHS fined Cignet $4.3 million (Feb. 2011)
• Cignet failed to provide patients access to their own health information as required by HIPAA (fine $1.3 mil) and failed to cooperate with HHS’s investigation (fine $3 mil)
• First fine by HHS for violations of HIPAA Privacy Rule provisions
– Massachusetts General Hospital – Settlement with HHS in amount of $1 million (Feb. 2011)
• Settlement for alleged violations of HIPAA (paper records lost on subway)
HealthNet - Case Study
• May of 2009: Portable computer disk drive with 446,000 private records lost/stolen from HealthNet Connecticut.
• November 2009: HealthNet goes public about the breach, notifying the affected individuals and the Attorney General.
• January 2010: Connecticut Attorney General files suit against HealthNet alleging:
– Improper handling of the breach event
– Failure to timely notify affected individuals and AG’s office
– 12 violations of HIPAA privacy and security rules
HealthNet - Case Study
• OUTCOME: July 7, 2010 HealthNet Settles Suit
• HealthNet will pay CT $250,000 in statutory damages and implement a corrective action plan.
• If misuse of the data is established, such as actual identity theft, Health Net will pay CT an additional $500,000 in statutory damages.
• HealthNet incurred costs of over $7 Mil to forensically investigate, provide notification and credit monitoring…
RECENT HIPAA/HITECH BREACHES
• Massachusetts Eye and Ear – September 2012
• Alaska Department of Health and Human Services – June 2012
• Phoenix Cardiac Surgery – April 2012
• Blue Cross Blue Shield of Tennessee – March 2012
• Health Net Connecticut – January 2010
Class Action Claims
• Litigation
– Breach guidance
– Investigation
– Notification
– E-discovery
– Litigation prep
– Contractual review
– Defense (MDL?)
• Plaintiffs’ Demands
– Fraud reimbursement
– Credit monitoring
– Identity monitoring
– Civil fines and/or penalties
– Time
Class Action—Tricare
• September, 2011: Backup tapes containing PHI of 4.9m patients treated at San Antonio military facilities between 1992 and September 7, 2011 stolen from vehicle of Tricare contractor Science Applications International Corp. employee
• PHI—names, addresses, phone numbers, clinical notes, laboratory tests, prescription information, social security numbers
• September 14, 2011: Science Applications notifies Tricare
• September 29, 2011: Tricare begins patient notifications
• Tricare did not offer credit monitoring
Tricare, cont’d
• October 11, 2011: lawsuit filed, alleging, among other things:
– Tricare operations manual requires notification no later than ten days after discovery of breach
– Tricare was repeatedly informed of recurring, systemic, and fundamental deficiencies in its information security but failed to effectively respond
• Lawsuit seeks an award of $4,900,000,000 ($1,000 for each affected individual)
Class Action—Sutter Health
• October 15-16, 2011: Sutter Health’s administrative offices burglarized, and a desktop PC, among other things, was stolen, containing:
– Names, addresses, dates of birth, phone numbers, and email addresses of 3.3m Sutter Physician Services patients treated between 1995 and January 2011
– Information on medical diagnoses and procedures for 943,000 Sutter Medical Foundation patients treated between 2005 and January 2011
• October 17, 2011: theft reported to police
• November 15, 2011: Sutter Health began notifying affected individuals
• November 16, 2011: first lawsuit filed; twelve filed thus far
So What Else Keeps HIPAA Privacy Officers Up at Night?
• Employee Clinics
• Cloud Computing
• Social Media Challenges
• Encryption of Portable Devices and Tracking – Where is the PHI?
Questions?
Kimberly B. Holmes, Esq.
(860) 408-2017
Christopher Keegan
(212) 915-8276
John F. Mullen, Esq.
(215) 358-5154